Cyber Counterintelligence: From Theory to Practice

In the previous article, Cyber Intelligence Collection Operations, the types of collection and the types of data that could be obtained were discussed. At the end of the discussion I pointed out that analysts must be critical of the data they evaluate as at any time it could be compromised.

Specifically, adversary actors could employ counterintelligence or deception type techniques to push analysts to draw wrong conclusions or discount the data entirely. In this article we will cover this topic of Cyber Counterintelligence (CCI) and discuss its two main branches: Offensive CCI and Defensive CCI.

Counterintelligence is as old a tradecraft as intelligence operations. The concept is simple: provide protection against foreign intelligence operations. The goal of counterintelligence is to prevent, deter, defeat, or manipulate the adversary's attempts to conduct intelligence operations against you, those you protect, or your organization, including its operations.

With the unique aspects of cyberspace though, we have to draw some contrasts between traditional counterintelligence and cyber counterintelligence. Many compromises and data loss scenarios are intrusions and espionage attempts for the purpose of some type of economic or political gain even if not orchestrated by a foreign government.

If we limited CCI to only focus on intrusions by adversary foreign governments or intelligence services many of the scenarios would be overlooked. However, we cannot simply apply all defensive actions meant to prevent intrusions into the field of CCI. If we labeled CCI as all efforts related to stopping intrusions then CCI would become an overused term and the skillset would not be restricted in a useful way; an overused term and tradecraft quickly loses benefit to an organization.

Therefore, CCI could best be described as the tradecraft and actions employed to identify and protect against an adversary’s cyber intelligence collection operations. There is a focus here not only on the intrusion but the intent of the intrusion and tradecraft used.

Defensive Cyber Counterintelligence

Defensive CCI can be thought of as actions taken to identify and counter adversary intrusions before they occur as well as the efforts in identifying and minimizing the threat landscape. In many ways this seems like the role of many cyber security actions: bolster defenses and prevent an intrusion.

However, the intent of Defensive CCI is to understand the adversary and minimize the threat landscape that they might exploit; the product of this effort is usually reports and analyses that defenders can use to complement their overall personnel, network, and information security.

One of the most performed Defensive CCI actions is a red team assessment. Think of the team that is tasked to perform a network assessment to determine where weak points exist and where an adversary might gain access to information systems.

The red team must have an understanding of adversary tactics, techniques, and procedures to accurately act like the adversary. The red team examines the network (including those who operate on it) and its information systems, evaluates the security systems in place, and bypasses the defenses to infiltrate the target.

The assessment that they provide when they are done helps network defenders know where extra security systems or controls are needed and better prepare for adversaries. In essence, the red team has identified the threat landscape of the organization and informed the organization about how it could be reduced.

Performing regular vulnerability assessments internally or externally is another way to help accomplish this; the vulnerability assessment does not fix the issues but instead identifies where and how adversaries might attempt an intrusion. The real power in these actions comes from the analysis performed by the CCI analysts, though, and not simply from the automated reports.

A second example of a Defensive CCI action is the performing of threat analysis. Threat analysis should be performed with all available information whether it is from OSINT, HUMINT, or technical analysis performed through things such as reverse engineering malware.

Threat intelligence is largely a Defensive CCI type effort; threat intelligence analysts track and understand threats such as the APT1 group identified by Mandiant. With an understanding of the threat, its capabilities and tactics, and its intelligence collection operations, it is possible to proactively strengthen network defenses and thus thwart its intrusion attempts.

Offensive Cyber Counterintelligence

Offensive CCI can be thought of as interactions with the adversary to directly collect information about their intelligence collection operations or to deceive them. Offensive CCI can be leveraged in a number of ways including the use of sock puppets (or fake personas) on online forums to gather information about adversary intelligence collection operations (capabilities, victims, tactics, etc.), the flipping of adversary operators into double agents to infiltrate the adversary’s operation, or in publishing false reports and information to deceive adversary intrusion attempts.

These efforts can be performed both inside and outside of your networks. For example, an Offensive CCI operation could be run to identify or mitigate adversaries already in your network. An Offensive CCI team could help create a honeypot inside your network to identify malicious actors on the network.

Additionally, the Offensive CCI team could place files in the honeypot that the adversary might be interested in but which contain fake or incorrect data. The adversary would retrieve the files with the fake information, possibly purported corporate intellectual property such as a secret recipe, believing it to be real.

The deception, in this case the fake recipe, buys the defense teams valuable time, indicates the presence of the adversary, and deceives the adversary, possibly leading them to put the fake recipe into production; in a perfect scenario the adversary would produce the fake recipe publicly, helping to establish attribution of the adversary.
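The honeypot decoy scenario above, as an added example that is not part of the original article: each decoy file carries a unique marker derived from its name and staging location, a detection routine flags any read of a decoy in (constructed) file-share audit lines, and an attribution routine matches a marker if the fake content later surfaces. The log format, host names and key are assumptions made for this example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed key for this example; a real registry key lives outside the honeypot.
REGISTRY_KEY = b"constructed-demo-key"

@dataclass(frozen=True)
class Decoy:
    name: str       # file name staged in the honeypot share
    location: str   # host/share where it was staged
    token: str      # unique marker embedded in the fake content

def make_token(name: str, location: str) -> str:
    """Derive a per-decoy marker; seeing it later ties the copy back to one staging."""
    msg = f"{name}|{location}".encode()
    return hmac.new(REGISTRY_KEY, msg, hashlib.sha256).hexdigest()[:16]

def build_decoy(name: str, location: str, fake_body: str) -> tuple[Decoy, str]:
    """Return the registry entry and the file content to drop into the honeypot."""
    token = make_token(name, location)
    return Decoy(name, location, token), f"{fake_body}\nDocument ID: {token}\n"

# Constructed file-share audit lines (format invented for this example).
SAMPLE_LOG = """\
2014-03-01T02:14:07Z READ src=10.0.5.23 user=svc_backup path=/share/hr/policy.docx
2014-03-01T02:15:41Z READ src=10.0.5.23 user=svc_backup path=/share/rd/secret_recipe.docx
2014-03-01T02:15:42Z READ src=10.0.5.23 user=svc_backup path=/share/rd/supplier_list.xlsx
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) READ src=(?P<src>\S+) user=(?P<user>\S+) path=(?P<path>\S+)$")

def detect_access(registry: list[Decoy], log_text: str) -> list[dict]:
    """Any read of a decoy is an alert: no legitimate workflow touches honeypot files."""
    by_name = {d.name: d for d in registry}
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoy = by_name.get(m["path"].rsplit("/", 1)[-1])
        if decoy:
            alerts.append({"ts": m["ts"], "src": m["src"], "user": m["user"], "staged_at": decoy.location})
    return alerts

def attribute_leak(registry: list[Decoy], surfaced_text: str) -> list[Decoy]:
    """If fake data surfaces later (e.g. published), find which staging it came from."""
    return [d for d in registry if d.token in surfaced_text]
```

Because the marker is bound to both file name and location, staging the same decoy in two places yields two distinct markers, so a surfaced copy points at one staging rather than at the decoy in general.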

It is possible to incorporate Offensive CCI thinking and understanding into otherwise unrelated operations as well. Deception and false indicators to deceive and delay adversaries during a computer network operation can be invaluable. Take for example Kaspersky Lab’s examination of “The Mask” malware campaign.

In this example, the Kaspersky Lab analysts determined that the vast number of victims in South America as well as the use of native Spanish language in the code of the malware indicated that the adversary was likely Spanish. The advanced nature of the Mask computer network operation and the cost that would be associated with it contributed to the idea that a government organization ran the operation.

Therefore, the analysts concluded the adversary actor was likely the Spanish government. There was a lot of good analysis and technical knowledge used by the Kaspersky Lab analysts; they also likely had other information which they did not publish that complemented their conclusions.

However, from a purely hypothetical stance let’s view this data from the lens of Offensive CCI thinking. If we think of the Kaspersky Lab team as the “adversary intelligence program” to the government that launched the Mask, an Offensive CCI team could be used in concert with the Mask campaign.

Malware development and campaign operators could be encouraged to introduce information meant to deceive their adversaries (in this case the Kaspersky Lab team). With an understanding of intrusion analysis and threat intelligence, the Offensive CCI team could advise for the inclusion of Spanish language into the code and the targeting of South American victims.

These efforts would not involve direct interaction with the adversary, the Kaspersky team; instead, the planting of false information could impact adversaries indirectly at a later time. In this scenario, the attribution applied in the report would be incorrect and valuable analysis time would be lost, thus countering the intelligence efforts of the Kaspersky team while protecting the government's operation.

I do not believe this was the case with the Mask report, and I have a great deal of respect for the analysis skills of the Kaspersky team members I've met, but it is a good hypothetical example that shows the benefit of Offensive CCI thinking placed into other operations.

From Theory to Practice

As has been a theme of this blog series, it is important to point out the role of analysis over set actions. The field of Cyber Counterintelligence is broad and relatively new, although admittedly counterintelligence tradecraft is not. It is difficult to set up and run a CCI team effectively while producing actionable effects and worthwhile intelligence for organizations.

Many organizations struggle to effectively perform proper architecture and maintenance of their systems, as well as the proper acquisition and use of traditional defense systems, let alone the establishment of advanced teams. Mitigating these common failures provides more return on investment than the use of more advanced teams and thought processes alone.

However, innovative ways of approaching defense, the viewing of problems in a different way, and the use of critical analysis skills such as CCI are highly important even when used outside of a dedicated CCI team. It may not be practical for smaller organizations to have a CCI team, but it is incredibly practical to have discussions on the thought processes of such a team.

Knowledge of red team and blue team operations, as well as an understanding of the benefit of reducing the threat landscape and trying to deceive the adversary, is incredibly important to network defense. Training analysts to think critically instead of just applying a set tool to a set scenario will yield amazing results.

A perfect example of this type of critical thinking applied to cyber intelligence is threat intelligence, which will be discussed in the next blog in this series.

About the Author: Robert M. Lee (@RobertMLee) is an Adjunct Lecturer at Utica College. He is also Co-Founder of Dragos Security LLC, a cyber security company which develops tools and research for the control system community. Additionally, Robert is an active-duty U.S. Air Force Cyberspace Operations Officer; his views and this article are his own and do not represent or constitute an opinion by the U.S. Government, DoD, or USAF. He has published and presented on cyber security topics in publications and conferences around the world, and is the author of SCADA and Me.

Editor's Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.